Access to European Union law
<a href="https://eur-lex.europa.eu/content/help/eurlex-content/experimental-features.html" target="_blank">More about the experimental features corner</a>
Choose the experimental features you want to try
EUR-Lex
Access to European Union law

This document is an excerpt from the EUR-Lex website

You are here
Use quotation marks to search for an "exact phrase". Append an asterisk (*) to a search term to find variations of it (transp*, 32019R*). Use a question mark (?) instead of a single character in your search term to find variations of it (ca?e finds case, cane, care).
Search tips
Need more search options? Use the Advanced search

Document Ares(2025)3617650

COMMISSION DELEGATED REGULATION (EU) …/... amending Delegated Regulation (EU) 44/2014 as regards laying down technical requirements and testing procedures regarding the protection of L-category vehicles against cyberattacks

Please be aware that this draft act does not constitute the final position of the institution.

EXPLANATORY MEMORANDUM

1.CONTEXT OF THE DELEGATED ACT

The term ‘L-category vehicles’ covers a wide range of vehicle types with two, three and four wheels, e.g. two- and three-wheel mopeds, two- and three-wheel motorcycles, motorcycles with sidecars, and light four-wheel vehicles (quadricycles), such as on-road quads and quadri-mobiles.

With Article 68 of the Cyber Resilience Act, the protection of vehicle against cyberattacks was added as requirement in Regulation (EU) 168/2013 on the approval and market surveillance for L-category vehicles.

UN regulation No 155 on Cyber Security and Cyber Security Management System 1 has been updated 2 to include L-category vehicles and its latest amendments should be included in EU law.

It is therefore necessary to amend Annex I to Commission Delegated Regulation (EU) No 44/2014 on vehicle construction and general requirements, to include a reference to the latest version of UNECE regulation No 155.

This delegated act also amends Delegated Regulation (EU) No 44/2014 by including a new Annex XVIII that clarifies that the Cyber Security requirements stated in Annex II of Regulation (EU) 168/2013 of the European Parliament and of the Council as amended by the Cyber Resilience Act 2024/2847 are referring to those set out in UN regulation No 155.

2.CONSULTATIONS PRIOR TO THE ADOPTION OF THE ACT

To prepare this act, the Commission carried out appropriate consultations with the relevant experts, stakeholders, and Member State experts.

3.LEGAL ELEMENTS OF THE DELEGATED ACT

The legal basis of this delegated act is Article 290 of the Treaty on the Functioning of the European Union, Article 18(3) of Regulation (EU) No 168/2013 of the European Parliament and of the Council of 15 January 2013 on the approval and market surveillance of two- or three-wheel vehicles and quadricycles 3

COMMISSION DELEGATED REGULATION (EU) …/...

of XXX

amending Delegated Regulation (EU) 44/2014 as regards laying down technical requirements and testing procedures regarding the protection of L-category vehicles against cyberattacks

(Text with EEA relevance)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) No 168/2013 of the European Parliament and of the Council of 15 January 2013 on the approval and market surveillance of two- or three-wheel vehicles and quadricycles 4 , and in particular Article 18(3) thereof,

Whereas:

(1)The scope of UN Regulation No 155 5 on cyber security and cyber security management system has been extended to include rules on cybersecurity for L-category vehicles (two- and three-wheel vehicles and quadricycles). To make UN Regulation No 155 applicable to L-category vehicles within the Union, it is necessary to include a reference to it in Commission Delegated Regulation (EU) No 44/2014 6

(2)L1e category vehicles designed to pedal referred to in Article 3, point (94)(b), of Regulation 168/2013 and pedal cycles exempted from the application of Regulation (EU) No 168/2013 under its Article 2(2), point (h), are not technically different from a cybersecurity perspective. The latter cycles, representing the vast majority (97 % on average) of the product offer of the majority of bicycle manufacturers, would be subject to the cybersecurity requirements laid down in the Regulation (EU) 2024/2847 of the European Parliament and of the Council 7 , whereas the former cycles, representing only a minority (3 % on average) of the product offer of most bicycle manufacturers, would be subject to the cybersecurity requirements of the UN Regulation No 155. Bicycle manufacturers producing electrically assisted bicycles with digital elements are often involved in the production of both pedal cycles as defined under the exception clause of Article 2(2), point (h), of Regulation (EU) No 168/2013 (2) and L1e category vehicles designed to pedal referred to in Article 3, point (94)(b), of Regulation 168/2013. Developing the compliance with a different set of cybersecurity requirements for only a minority segment of the total production would create a disproportionate administrative burden for bicycle manufacturers. For those reasons, it is appropriate to exclude L1e category vehicles designed to pedal referred to in Article 3, point (94)(b), of Regulation 168/2013 from the scope of Delegated Regulation (EU) 44/2014 as regards cyber security requirements set out therein.

(3)As L1e category vehicles designed to pedal referred to in Article 3, point (94)(b), of Regulation 168/2013 are subject to the requirements of Regulation (EU) 2024/2847 under Commission Delegated Regulation EU […./…..] 8 , it is appropriate to align the applicability of the requirements of UN Regulation No 155 with the date of application of Regulation (EU) 2024/2847.

(4)Besides ensuring the compliance of new vehicle types, national authorities and manufacturers need additional time sufficient to ensure that also all existing vehicle types become compliant with the cybersecurity rules under UN Regulation No 155.

(5)Delegated Regulation (EU) No 44/2014 should therefore be amended accordingly,

HAS ADOPTED THIS REGULATION:

Article 1

Amendments to Delegated Regulation (EU) No 44/2014

Regulation (EU) No 44/2014 is amended as follows:

(1)Annex I is amended in accordance with Annex I to this Regulation;

(2)the text set out in Annex II to this Regulation is added as Annex XVIII.

Article 2

Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in the Member States.

Done at Brussels,

   For the Commission

   The President
   Ursula von der Leyen

Top

ANNEX I

In Annex I, in the table, the following row is added:

‘155

Cyber security and cyber security management system

Supplement 3 to the 00 series of amendments

OJ L, 2025/5, 10.1.2025, ELI: http://data.europa.eu/eli/reg/2025/5/oj  

L1e, L2e, L3e, L4e, L5e, L6e and L7e, except L1e category vehicles designed to pedal referred to in Article 3, point (94)(b), of Regulation 168/2013



ANNEX II

ANNEX XVIII

Requirements applying to the protection of vehicle against cyberattacks

1.Requirements

1.1.‘Type of vehicle with regard to cybersecurity’ means a category of vehicles which do not differ in the following respects:

(a) the manufacturer’s designation of the vehicle type;

(b) essential aspects of the electric/electronic architecture and external interfaces with respect to cyber security.

1.2. Vehicles of categories L1e, , L2e, L3e, L4e, L5e, L6e and L7e, except L1e vehicles designed to pedal referred to in Article 3, point (94)(b), of Regulation 168/2013,  shall meet all the relevant requirements of UN regulation No 155.

1.3. Points 1.1. and 1.2. shall apply as follows:

(a) to new vehicle types from 11 December 2027;

(b) to existing vehicle types from 11 June 2029.

’.

Top